Coming soon to GitHub Marketplace

Detect evil merge commits before they ship

Evil Merge Detector finds merge commits that introduce changes not present in either parent branch — the attack vector your code review misses.

evilmerge — scan
# Scan your repository
$ evilmerge scan .
 
CRITICAL ab90bd7 vite.config.js
          Both parents had identical content.
          Merge result differs — manual edit detected.
 
✓ 23 merge commits checked  |  1 critical issue found
0 false positives · 3 integrations · CLI works offline · Free for public repos
The problem

Hidden in the merge, invisible in the PR

When both parent branches contain identical files, Git’s three-way merge algorithm outputs them unchanged. The only way to get a different result is to manually edit files during the merge.

GitHub’s PR diff doesn’t show merge commits. git log doesn’t surface the change. SAST tools scan files, not merge history. The injection is invisible.

This is how malicious code ran undetected in a production repository for several months — on every developer machine and every CI build.

It’s a supply chain attack via code injection — and it bypasses every standard git security tool.

Figure: vite.config.js at merge commit ab90bd7 (evil merge). Parent 1 aa82acb0c335… (clean), Parent 2 aa82acb0c335… (clean), merge result 2a54754defae… (DIFFERENT). When both parents are identical, Git cannot produce a different output on its own.
How it works

Simple detection, no false positives

For each merge commit, we reconstruct what Git should have produced and compare it to what the commit actually contains.

Step 01

Find the merge base

Identify the common ancestor of the two parent commits — the starting point for the three-way merge algorithm.

Step 02

Reconstruct expected tree

Run a clean three-way merge of the parent trees. This is what Git would produce with no manual intervention.

Step 03

Compare against reality

Diff the expected tree against the actual merge commit. Any difference is a file manually edited during the merge.
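The three steps above, carried out with git plumbing commands, as an added example that is not the Evil Merge Detector project's own code. `evil_merge_scan` assumes a local repository whose merge commits have two parents and combines `git merge-base` (step 1), `git read-tree -i -m` into a throwaway index (step 2) and `git diff-index --cached` against the merge commit (step 3). It goes slightly beyond the page's one case by separating a file that both parents already agreed on (which Git alone could never change, so the page's critical finding) from a file that genuinely needed conflict resolution, where a difference is expected. `make_demo_repo` builds a constructed throwaway repository with one honest merge made by `git merge` and one merge whose tree was edited before it was committed; the branch names, file contents and status labels are assumptions made for the example.

```shell
# Added example (not the Evil Merge Detector project's code): the three
# detection steps done with git plumbing. Only two-parent merges are handled.

# Print "<status> <merge-commit> <path>" for each file whose content in the
# merge commit differs from a clean three-way merge of its two parents:
#   CRITICAL  both parents already held the same blob, so no conflict was
#             possible and Git alone could not have produced the difference
#   CONFLICT  the file needed manual resolution; a difference is expected here
#   DIFFERS   only one parent touched the file (or neither had it), yet the
#             committed result does not match
evil_merge_scan() {
    repo=$1
    git -C "$repo" rev-list --merges --all | while read -r merge; do
        set -- $(git -C "$repo" rev-list --parents -n 1 "$merge")
        p1=$2; p2=$3
        # Step 1: the merge base of the two parents.
        base=$(git -C "$repo" merge-base "$p1" "$p2")
        # Step 2: three-way merge of base/p1/p2 into a throwaway index.
        # -i skips working-tree checks; --aggressive also resolves one-sided deletions.
        idx=$(mktemp); rm -f "$idx"
        GIT_INDEX_FILE=$idx git -C "$repo" read-tree -i -m --aggressive "$base" "$p1" "$p2"
        # Step 3: diff the expected index against the tree the merge commit really has.
        GIT_INDEX_FILE=$idx git -C "$repo" diff-index --cached --name-status "$merge" |
        while IFS="$(printf '\t')" read -r status path; do
            if [ "$status" = U ]; then
                echo "CONFLICT $merge $path"
                continue
            fi
            b1=$(git -C "$repo" rev-parse -q --verify "$p1:$path" 2>/dev/null || true)
            b2=$(git -C "$repo" rev-parse -q --verify "$p2:$path" 2>/dev/null || true)
            if [ -n "$b1" ] && [ "$b1" = "$b2" ]; then
                echo "CRITICAL $merge $path"
            else
                echo "DIFFERS $merge $path"
            fi
        done
        rm -f "$idx"
    done
}

# Build a throwaway repository (constructed demo data, assumed names) holding two
# merges of the same parents: one made by git, one whose tree was edited before
# the merge commit was written. Prints the repository path.
make_demo_repo() {
    repo=$(mktemp -d)
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.com
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.com
    {
        git -C "$repo" init -q
        printf 'export default {}\n' > "$repo/vite.config.js"
        printf 'v1\n' > "$repo/a.txt"
        git -C "$repo" add -A
        git -C "$repo" commit -q -m base
        base=$(git -C "$repo" rev-parse HEAD)
        printf 'v2\n' > "$repo/a.txt"               # second parent edits a.txt
        git -C "$repo" commit -q -am feature
        p2=$(git -C "$repo" rev-parse HEAD)
        git -C "$repo" checkout -q -b side "$base"   # first parent adds b.txt
        printf 'hello\n' > "$repo/b.txt"
        git -C "$repo" add b.txt
        git -C "$repo" commit -q -m side
        p1=$(git -C "$repo" rev-parse HEAD)
        git -C "$repo" merge -q --no-edit "$p2"      # honest merge, no conflict
        # Evil merge: same two parents, but vite.config.js edited "during" the
        # merge. Neither parent changed it, so git alone could never produce this.
        printf 'export default {}\n// line added while merging\n' > "$repo/vite.config.js"
        git -C "$repo" add vite.config.js
        evil=$(git -C "$repo" commit-tree "$(git -C "$repo" write-tree)" \
                   -p "$p1" -p "$p2" -m 'merge feature into side')
        git -C "$repo" update-ref refs/heads/evil "$evil"
    } >/dev/null 2>&1
    echo "$repo"
}

# Usage: evil_merge_scan /path/to/repo
# evil_merge_scan "$(make_demo_repo)"   # one line: CRITICAL <sha> vite.config.js
```

The honest merge produces no output because the index built by `read-tree` matches its tree exactly; only the hand-edited merge is reported, and it is reported as critical because both parents carry the same blob for `vite.config.js`.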

Integrations

Works where you already work

Three ways to add evil merge detection — pick what fits your workflow.

CLI

Command Line

Scan any repository from the terminal. Supports JSON and SARIF output for GitHub Code Scanning.

brew install fimskiy/tap/evilmerge
evilmerge scan .
Action

GitHub Action

Add to your workflow and get annotations directly on pull requests. Zero configuration.

- uses: fimskiy/Evil-merge-detector@v1
  with:
    fail-on: warning
App

GitHub App

Install once, get automatic checks on every PR. No workflow changes needed.

Install from GitHub Marketplace
→ automatic on every pull request
→ results in GitHub Checks
Pricing

Simple, per-organization pricing

The CLI and GitHub Action are always free and open source.

Free
$0
For open source and personal projects
  • Public repositories
  • 50 PR scans / month
  • GitHub Checks integration
  • Private repositories
  • Scan history dashboard
  • Unlimited scans
Install for free
Protect your codebase

Your next merge could be hiding something.

Install the GitHub App and start scanning automatically — no workflow changes needed.